The author provides five steps in preparing for the ISO 13485 certification process, and his insights and tips for each step are reviewed.
A LinkedIn connection of mine recently asked for sources of good guidance on ISO 13485 registration. I wrote a blog recently about Quality Management Systems in General, but I had trouble finding resources specific to the ISO 13485 registration process. Therefore, I decided to write a blog to answer this question.
Typically, people learn the hard way by setting up a system from scratch. The better way to discover it is to take a course on it. I used to teach a two-day course on the topic for BSI. The link for this course is http://bit.ly/Get13485; I shortened the link to the BSI website.
The only registrar I could find that described the process step-by-step was Dekra. I have copied their steps below:
ISO 13485 Certification: Inquiry to Surveillance in 5 Steps
An initial meeting between [THE REGISTRAR] and the client can take place on-site or via teleconference. At this time, the client familiarizes [THE REGISTRAR] with company specifics, and it’s quality assurance certification requirements; [THE REGISTRAR] explains its working methods and partnering philosophy, and previews the details of the process.
As a client, I have completed two initial certifications personally and three transfers, but I have only once had the sales representative visit my company. I think this process is typically accomplished by phone and email. If any registrars are reading this, you will close on more accounts if you visit prospective clients personally. The one that visited my company (Robert Dostert) has been on speed dial for almost a decade, and he’s received repeat business.
2. Application Form
The client chooses to move forward by filling out an online application form. Based on the information obtained during the inquiry stage, along with the application form, [THE REGISTRAR] prepares a quote, free of charge, for the entire certification process. A client-signed quotation or purchase order leads to the first stage of the certification process.
For both of the Notified Body transfers I completed, I completed application forms and requested quotes from multiple Notified Bodies. During the quoting process, my friend Robert was more responsive and able to answer my questions better than the competition. Robert was also able to schedule earlier audit dates than the competition. To this day, I am still amazed that Notified Bodies are not more responsive during this initial quoting process. All of the Notified Bodies are offering a certificate (a commodity). The customer service provided by each Notified Body, however, is not a commodity. Each Notified Body has its own culture, and every Notified Body has good and bad auditors. Therefore, you need to treat this selection process, just like any other supplier selection decision. I have guided this specific selection process on more than one occasion, but I am definitely biased.
3. Phase One: Document Review and Planning Visit
At this stage, [THE REGISTRAR] performs a pre-certification visit, which entails verifying the documented quality systems against the applicable standard. [THE REGISTRAR] works with the client to establish a working plan to define the [THE REGISTRAR] quality auditing process. If the client wishes, [THE REGISTRAR] will perform a trial audit or “dress rehearsal” at this stage. This allows the client to choose business activities for auditing, and to test those activities against the applicable standard. It also allows the client to learn and experience [THE REGISTRAR] ‘s quality auditing methods and style. The results of the trial audit can be used toward certification. Most clients elect for one or two days of trial auditing.
Dekra’s statement that “The results of the trial audit can be used toward certification,” is 100% opposite from BSI’s policy. BSI calls this a pre-assessment. The boilerplate wording used in BSI quotations is, “The pre-assessment is an optional service that is an informal assessment activity intended to identify areas of concern where further attention would be beneficial and to assess the readiness of the quality management system for the initial formal assessment.” During these pre-assessments, BSI auditors explain that any findings during the pre-assessment will not be used during the Stage 1 and Stage 2 certification audits, and the client will start with a “clean slate.” Most of the clients I conducted pre-assessments for were skeptical of this. Still, most auditors are ethical and make every effort to avoid even the perception of biasing their sampling during Stage 1 and Stage 2 audits.
I highly recommend conducting a pre-assessment. You want an extremely thorough and tough pre-assessment so that the organization is well prepared for the certification audits. If the auditor that will be conducting the Stage 1 and Stage 2 audit is not available to do a pre-assessment, try to find a consultant that knows the auditor’s style and “hot buttons” well. FYI…You can almost always encourage me to do a little teaching when I’m auditing (I just can’t resist), and my “hot buttons” are CAPA, internal auditing, and design controls.
4. Phase Two: Final Certification Audit
Once the client’s documented systems have met the applicable standards, [THE REGISTRAR] will conduct an audit to determine its effective implementation. [THE REGISTRAR] uses a professional auditing interview-style instead of a simple checklist approach. This involves interviewing the authorized and responsible personnel as designated in the documented quality system.
For certification audits, ISO 17021 requires a Stage 1 and Stage 2 audit to be conducted. The combined duration of the certification audits must be in accordance with the IAF MD9 guidance document–which is primarily based upon the number of employees in the company. The “interview style” that Dekra is referring to is called the “Process Approach.” This is required in section 0.2 of the ISO 13485 Standard, and this is the primary method recommended by the ISO 19011 Standard for auditing–although other methods of auditing are covered, as well.
[THE REGISTRAR] arranges for surveillance audits semi-annually or annually, as requested by the client.
I highly recommend annual surveillance audits, because the short duration of surveillance audits becomes unrealistically short when the auditor is asked to split their time between two semi-annual visits. A few clients have indicated that the semi-annual audits help them by maintaining pressure on the organization to be ready for audits all year-round, and prevents them from procrastinating to implement corrective actions. This is an issue of management commitment that needs to be addressed by the company. Scheduling semi-annual surveillance audits don’t address the root cause. The only good argument I have for semi-annual cycles is if you have very large facilities that would have an audit duration of at least two days on a semi-annual basis.
The most important consideration related to scheduling surveillance audits is to ensure that you schedule the audits well before the anniversary date. I recommend 11 months between audits. By doing this, you end up scheduling the re-certification audits three months before the certificate expires. BSI has a different policy. They want auditors to schedule the first surveillance audit ten months after the Stage 2 audit, the second surveillance audit 12 months after the first surveillance audit, and then the re-certification audit must be scheduled at least 60 days before certificate expiration (i.e., – no more than 12 months after the second surveillance audit). No matter what, schedule early.
If you have additional questions about becoming ISO 13485 registered, please post a discussion question in the following LinkedIn subgroup: Medical Device: QA/RA. For example, on Monday, a new discussion question was posted asking for help with the selection of a Notified Body for CE Marking. You will need to become a member of the parent group (Medical Device Group)–if you are not already one of the 140,000+ members connected with Joe Hage. George Marcel and I manage this subgroup for Joe. George is out in the Bay Area, and I’m in the Green Mountains.